Oracle Autonomous AI
Database (ADB) provides a powerful feature called Table
Hyperlinks, also known as Pre-Authenticated Request (PAR) URLs, which
allows you to securely access query results over HTTPS without exposing
database credentials.
When private
endpoints enter the picture, especially with “Allow public access” enabled, the
behaviour of these URLs can be a little confusing. In this post, we’ll walk
through:
- What URLs are
generated
- How public and
private PAR URLs differ
- Why one works only
inside a VCN
- What to expect when
accessing them from outside
Scenario Setup- Database type: Autonomous AI Database
- Connectivity: Private Endpoint enabled
- Private endpoint setting: Allow public access =
Enabled
With this
configuration, ADB is reachable: - Privately from within the VCN
- Publicly through Oracle-managed public endpoints
Now let’s see
what happens when we create a table hyperlink.
rajesh@ADB26> declare
2
l_status long;
3
begin
4
dbms_data_access.create_url(
5
sql_statement => ' select * from DEPT '
6
, service_name =>'LOW'
7
, inherit_acl => TRUE
8
, result => l_status );
9
dbms_output.put_line( l_status );
10 end;
11* /
{
"status" : "SUCCESS",
"id" : "N6Xz9aBiKGxtIcFhUneVYKatytDgmJERzQsY_Wi1PoaAeBS5nrM2WF0OQl4Vi1Pf",
"preauth_url" :
"https://dataaccess.adb.us-ashburn-1.oraclecloudapps.com/adb/p/3wVmqlHLmedig2SvPAka6LfvBpDGbPEuHa8dmgl3D80J4Pl1TO13Qsqpd_wup98-5te4uhOCwNk/data",
"private_preauth_url" : "https://l1aoobfh.adb.us-ashburn-1.oraclecloudapps.com/adb/p/3wVmqlHLmedig2SvPAka6LfvBpDGbPEuHa8dmgl3D80J4Pl1TO13Qsqpd_wup98-5te4uhOCwNk/data",
"expiration_ts" :
"2026-04-20T07:34:14.072Z"
}
Notice the two
different URLs returned.
The preauth_url it is of
this format
https://dataaccess.adb.<region>.oraclecloudapps.com/adb/p/<token>/data
this preauth_url uses
Oracle’s public ADB data access endpoint, accessible over the internet,
inherits ADB’s network access control list (ACL’s) and expiration time, and
this will works when the database has the private endpoint (as longs as public
access is allowed)
the private_preauth_url is of this format
https://<private-endpoint>.adb.<region>.oraclevcn.com/adb/p/<token>/data
this private_preauth_url
resolves to a VCN-Scoped private DNS names , only resolves inside the VCN,
intended for workloads running within the OCI ( OKE, Compute, Bastion etc )
when the
request is made for accessing the private PAR url from the host within the VCN,
everything works as expected.
demo@ADB26ai>
$ curl https://l1aoobfh.adb.us-ashburn-1.oraclevcn.com/adb/p/3wVmqlHLmedig2SvPAka6LfvBpDGbPEuHa8dmgl3D80J4Pl1TO13Qsqpd_wup98-5te4uhOCwNk/data
{
"items": [
{
"DEPTNO": 10,
"DNAME":
"ACCOUNTING",
"LOC": "NEW YORK"
},
{
"DEPTNO": 20,
"DNAME": "RESEARCH",
"LOC": "DALLAS"
},
{
"DEPTNO": 30,
"DNAME": "SALES",
"LOC": "CHICAGO"
},
{
"DEPTNO": 40,
"DNAME":
"OPERATIONS",
"LOC": "BOSTON"
}
],
"hasMore": false,
"limit": 1000,
"offset": 0,
"count": 4,
"links": [
{
"rel": "self",
"href":
"https://l1aoobfh.adb.us-ashburn-1.oraclevcn.com/adb/p/3wVmqlHLmedig2SvPAka6LfvBpDGbPEuHa8dmgl3D80J4Pl1TO13Qsqpd_wup98-5te4uhOCwNk/data"
}
]
}
The private
endpoint DNS resolves correctly, the request reaches the ADB private endpoint
and the data is returned successfully.
Now accessing
the same URL from any system outside the VCN connectivity
curl
https://l1aoobfh.adb.us-ashburn-1.oraclevcn.com/adb/p/3wVmqlHLmedig2SvPAka6LfvBpDGbPEuHa8dmgl3D80J4Pl1TO13Qsqpd_wup98-5te4uhOCwNk/data
curl: (6) Could not
resolve host: l1aoobfh.adb.us-ashburn-1.oraclevcn.com
this behaviour
is expected and by design the oraclevcn.com domain is private DNS, it is only
resolvable from within the OCI VCN, public DNS servers has no knowledge of this
hostname, so even though “Allow public access” is enabled, the Private PAR URL
remains private and inaccessible from the internet.
So the key
takeaways are when creating table hyperlink on an ADB with private endpoints, we
will received both private and public PAR urls, we can use private_preauth_url
when accessing the data within the VCN , from OCI compute, OKE, Bastion host
etc, use preauth_url
when accessing the data from outside the VCN – on prem systems or external
services – so DNS resolution failures outside the VCN are not the bug , but a
security feature.
Table
Hyperlinks combined with private endpoints give you a lot of flexibility—but
only if you clearly understand which URL is meant for which network boundary. If
you’re designing integrations or sharing PAR URLs with external consumers,
always make sure you’re distributing the public preauth_url, not the private
one.
